1rpm_selinux(8) SELinux Policy rpm rpm_selinux(8)
2
3
4
6 rpm_selinux - Security Enhanced Linux Policy for the rpm processes
7
9 Security-Enhanced Linux secures the rpm processes via flexible manda‐
10 tory access control.
11
12 The rpm processes execute with the rpm_t SELinux type. You can check if
13 you have these processes running by executing the ps command with the
14 -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep rpm_t
19
20
21
23 The rpm_t SELinux type can be entered via the rpm_script_exec_t,
24 rpm_exec_t, debuginfo_exec_t file types.
25
26 The default entrypoint paths for the rpm_t domain are the following:
27
28 /usr/bin/dnf-[0-9]+, /usr/sbin/rhn_check-[0-9]+.[0-9]+,
29 /usr/libexec/yumDBUSBackend.py, /bin/rpm, /usr/bin/dnf, /usr/bin/rpm,
30 /usr/bin/yum, /usr/bin/zif, /usr/sbin/pup, /usr/bin/smart,
31 /usr/sbin/bcfg2, /usr/sbin/pirut, /usr/bin/apt-get, /bin/yum-builddep,
32 /usr/sbin/up2date, /usr/bin/apt-shell, /usr/bin/repoquery,
33 /usr/sbin/synaptic, /usr/sbin/yum-cron, /usr/sbin/rhn_check,
34 /usr/sbin/rhnreg_ks, /usr/bin/anaconda-yum, /usr/bin/yum-builddep,
35 /usr/sbin/packagekitd, /usr/bin/dnf-automatic, /usr/sbin/yum-updatesd,
36 /usr/bin/yum-deprecated, /usr/bin/package-cleanup, /usr/libexec/pack‐
37 agekitd, /usr/bin/fedora-rmdevelrpms, /usr/bin/rpmdev-rmdevelrpms,
38 /usr/sbin/system-install-packages, /usr/share/yumex/yum_childtask.py,
39 /usr/sbin/yum-complete-transaction, /usr/share/yumex/yumex-yum-backend,
40 /usr/libexec/rhc/rhc-package-manager-worker, /usr/libexec/pegasus/py‐
41 cmpiLMI_Software-cimprovagt, /usr/libexec/dnf-utils, /usr/bin/debug‐
42 info-install
43
45 SELinux defines process types (domains) for each process running on the
46 system
47
48 You can see the context of a process using the -Z option to ps
49
50 Policy governs the access confined processes have to files. SELinux
51 rpm policy is very flexible allowing users to setup their rpm processes
52 in as secure a method as possible.
53
54 The following process types are defined for rpm:
55
56 rpm_t, rpmdb_t, rpm_script_t
57
58 Note: semanage permissive -a rpm_t can be used to make the process type
59 rpm_t permissive. SELinux does not deny access to permissive process
60 types, but the AVC (SELinux denials) messages are still generated.
61
62
64 SELinux policy is customizable based on least access required. rpm
65 policy is extremely flexible and has several booleans that allow you to
66 manipulate the policy and run rpm with the tightest access possible.
67
68
69
70 If you want to control the ability to mmap a low area of the address
71 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
72 the mmap_low_allowed boolean. Disabled by default.
73
74 setsebool -P mmap_low_allowed 1
75
76
77
78 If you want to allow system to run with NIS, you must turn on the
79 nis_enabled boolean. Disabled by default.
80
81 setsebool -P nis_enabled 1
82
83
84
85 If you want to disable kernel module loading, you must turn on the se‐
86 cure_mode_insmod boolean. Disabled by default.
87
88 setsebool -P secure_mode_insmod 1
89
90
91
92 If you want to allow unconfined executables to make their heap memory
93 executable. Doing this is a really bad idea. Probably indicates a
94 badly coded executable, but could indicate an attack. This executable
95 should be reported in bugzilla, you must turn on the selinuxuser_ex‐
96 echeap boolean. Disabled by default.
97
98 setsebool -P selinuxuser_execheap 1
99
100
101
102 If you want to allow unconfined executables to make their stack exe‐
103 cutable. This should never, ever be necessary. Probably indicates a
104 badly coded executable, but could indicate an attack. This executable
105 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
106 stack boolean. Enabled by default.
107
108 setsebool -P selinuxuser_execstack 1
109
110
111
113 The SELinux process type rpm_t can manage files labeled with the fol‐
114 lowing file types. The paths listed are the default paths for these
115 file types. Note the processes UID still need to have DAC permissions.
116
117 file_type
118
119 all files on the system
120
121
123 SELinux requires files to have an extended attribute to define the file
124 type.
125
126 You can see the context of a file using the -Z option to ls
127
128 Policy governs the access confined processes have to these files.
129 SELinux rpm policy is very flexible allowing users to setup their rpm
130 processes in as secure a method as possible.
131
132 EQUIVALENCE DIRECTORIES
133
134
135 rpm policy stores data with multiple different file context types under
136 the /var/lib/rpm directory. If you would like to store the data in a
137 different directory you can use the semanage command to create an
138 equivalence mapping. If you wanted to store this data under the /srv
139 directory you would execute the following command:
140
141 semanage fcontext -a -e /var/lib/rpm /srv/rpm
142 restorecon -R -v /srv/rpm
143
144 STANDARD FILE CONTEXT
145
146 SELinux defines the file context types for the rpm, if you wanted to
147 store files with these types in a different paths, you need to execute
148 the semanage command to specify alternate labeling and then use re‐
149 storecon to put the labels on disk.
150
151 semanage fcontext -a -t rpm_exec_t '/srv/rpm/content(/.*)?'
152 restorecon -R -v /srv/myrpm_content
153
154 Note: SELinux often uses regular expressions to specify labels that
155 match multiple files.
156
157 The following file types are defined for rpm:
158
159
160
161 rpm_exec_t
162
163 - Set files with the rpm_exec_t type, if you want to transition an exe‐
164 cutable to the rpm_t domain.
165
166
167 Paths:
168 /usr/bin/dnf-[0-9]+, /usr/sbin/rhn_check-[0-9]+.[0-9]+,
169 /usr/libexec/yumDBUSBackend.py, /bin/rpm, /usr/bin/dnf,
170 /usr/bin/rpm, /usr/bin/yum, /usr/bin/zif, /usr/sbin/pup,
171 /usr/bin/smart, /usr/sbin/bcfg2, /usr/sbin/pirut, /usr/bin/apt-
172 get, /bin/yum-builddep, /usr/sbin/up2date, /usr/bin/apt-shell,
173 /usr/bin/repoquery, /usr/sbin/synaptic, /usr/sbin/yum-cron,
174 /usr/sbin/rhn_check, /usr/sbin/rhnreg_ks, /usr/bin/anaconda-yum,
175 /usr/bin/yum-builddep, /usr/sbin/packagekitd, /usr/bin/dnf-auto‐
176 matic, /usr/sbin/yum-updatesd, /usr/bin/yum-deprecated,
177 /usr/bin/package-cleanup, /usr/libexec/packagekitd, /usr/bin/fe‐
178 dora-rmdevelrpms, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/system-
179 install-packages, /usr/share/yumex/yum_childtask.py,
180 /usr/sbin/yum-complete-transaction, /usr/share/yumex/yumex-yum-
181 backend, /usr/libexec/rhc/rhc-package-manager-worker,
182 /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt
183
184
185 rpm_file_t
186
187 - Set files with the rpm_file_t type, if you want to treat the files as
188 rpm content.
189
190
191
192 rpm_log_t
193
194 - Set files with the rpm_log_t type, if you want to treat the data as
195 rpm log data, usually stored under the /var/log directory.
196
197
198 Paths:
199 /var/log/dnf.log.*, /var/log/dnf.rpm.log.*, /var/log/dnf.li‐
200 brepo.log.*, /var/log/hawkey.*, /var/log/up2date.*,
201 /var/log/yum.log.*
202
203
204 rpm_script_exec_t
205
206 - Set files with the rpm_script_exec_t type, if you want to transition
207 an executable to the rpm_script_t domain.
208
209
210
211 rpm_script_tmp_t
212
213 - Set files with the rpm_script_tmp_t type, if you want to store rpm
214 script temporary files in the /tmp directories.
215
216
217
218 rpm_script_tmpfs_t
219
220 - Set files with the rpm_script_tmpfs_t type, if you want to store rpm
221 script files on a tmpfs file system.
222
223
224
225 rpm_tmp_t
226
227 - Set files with the rpm_tmp_t type, if you want to store rpm temporary
228 files in the /tmp directories.
229
230
231
232 rpm_tmpfs_t
233
234 - Set files with the rpm_tmpfs_t type, if you want to store rpm files
235 on a tmpfs file system.
236
237
238
239 rpm_var_cache_t
240
241 - Set files with the rpm_var_cache_t type, if you want to store the
242 files under the /var/cache directory.
243
244
245 Paths:
246 /var/cache/dnf(/.*)?, /var/cache/yum(/.*)?,
247 /var/spool/up2date(/.*)?, /var/cache/PackageKit(/.*)?
248
249
250 rpm_var_lib_t
251
252 - Set files with the rpm_var_lib_t type, if you want to store the rpm
253 files under the /var/lib directory.
254
255
256 Paths:
257 /var/lib/dnf(/.*)?, /var/lib/rpm(/.*)?, /var/lib/yum(/.*)?,
258 /var/lib/PackageKit(/.*)?, /usr/lib/sysimage/rpm(/.*)?,
259 /var/lib/alternatives(/.*)?, /var/lib/rpmrebuilddb.*(/.*)?
260
261
262 rpm_var_run_t
263
264 - Set files with the rpm_var_run_t type, if you want to store the rpm
265 files under the /run or /var/run directory.
266
267
268 Paths:
269 /var/run/yum.*, /var/run/PackageKit(/.*)?
270
271
272 rpmdb_exec_t
273
274 - Set files with the rpmdb_exec_t type, if you want to transition an
275 executable to the rpmdb_t domain.
276
277
278 Paths:
279 /usr/bin/rpmdb, /usr/lib/rpm/rpmdb_migrate
280
281
282 rpmdb_tmp_t
283
284 - Set files with the rpmdb_tmp_t type, if you want to store rpmdb tem‐
285 porary files in the /tmp directories.
286
287
288
289 Note: File context can be temporarily modified with the chcon command.
290 If you want to permanently change the file context you need to use the
291 semanage fcontext command. This will modify the SELinux labeling data‐
292 base. You will need to use restorecon to apply the labels.
293
294
296 semanage fcontext can also be used to manipulate default file context
297 mappings.
298
299 semanage permissive can also be used to manipulate whether or not a
300 process type is permissive.
301
302 semanage module can also be used to enable/disable/install/remove pol‐
303 icy modules.
304
305 semanage boolean can also be used to manipulate the booleans
306
307
308 system-config-selinux is a GUI tool available to customize SELinux pol‐
309 icy settings.
310
311
313 This manual page was auto-generated using sepolicy manpage .
314
315
317 selinux(8), rpm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
318 setsebool(8), rpm_script_selinux(8), rpm_script_selinux(8)
319
320
321
322rpm 23-12-15 rpm_selinux(8)